Description
The WebSocket functionality in Storybook’s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.
Recommendation
Update the storybook package to the latest compatible version. Version details follow:
Affected version(s):
- **>= 10.0.0-beta.0, < 10.2.10**
- **>= 8.7.0-alpha.0, < 9.1.19**
- **>= 8.1.0, < 8.6.17**

Patched version(s): **10.2.10**, **9.1.19**, **8.6.17**
Related Issues
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
- Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - CVE-2026-2229
- Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
Tags: npm, storybook
Last updated on February 26, 2026